MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8a8a6c3fe21172b98f35850739be0f78e44a30d0adb844e9f9ce7f05ce1751a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8a8a6c3fe21172b98f35850739be0f78e44a30d0adb844e9f9ce7f05ce1751a
SHA3-384 hash: b0538f337f070c902e92291a8aaa893a4d169d736876781dfd611aebd8de72a642a2295330a42a15f0d5e88fe65d9b4b
SHA1 hash: 20895b5e62f36ef101bcbe5c5f81038570a897f3
MD5 hash: bfaf1ced61ea80dc10b8ac87c18f355b
humanhash: music-nineteen-magazine-single
File name:bfaf1ced61ea80dc10b8ac87c18f355b
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:352'768 bytes
First seen:2021-06-25 03:32:11 UTC
Last seen:2021-06-25 04:41:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3696836e697e34abe8d01359a9095212 (2 x Smoke Loader)
ssdeep 6144:RRK8eF4AG+ULJHUUb5iqG0Kb1Wo+GgKkpljxKmIOqsZSNTpk:m8eF4AG+ULJHUUBPKbV+/ljxKq/4Tp
Threatray 467 similar samples on MalwareBazaar
TLSH 7A748D00BAA1C035F6F312F88976A36C993E7EB15B6040CB52D5EAEE56346E1EC31717
Reporter zbetcheckin
Tags:32 exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bfaf1ced61ea80dc10b8ac87c18f355b
Verdict:
Suspicious activity
Analysis date:
2021-06-25 03:36:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/58c68c76-3e59-4d4c-bf93-98dd2f66984b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLInjector01
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168194/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.5617.13044.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9a10cb62-83d8-4fbe-8560-5128ae1dd16d
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807872
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
DLL reload attack detected
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Renames NTDLL to bypass HIPS
System process connects to network (likely due to code injection or exploit)
Tries to resolve many domain names, but no domain seems valid
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 440283 Sample: ELx2QYnF3X Startdate: 25/06/2021 Architecture: WINDOWS Score: 100 28 999080321yirtest231-service10020125999080321.ru 2->28 46 Multi AV Scanner detection for domain / URL 2->46 48 Found malware configuration 2->48 50 Antivirus detection for URL or domain 2->50 54 4 other signatures 2->54 7 rhtccas 2->7         started        10 ELx2QYnF3X.exe 2->10         started        12 explorer.exe 2 2->12         started        signatures3 52 Tries to resolve many domain names, but no domain seems valid 28->52 process4 dnsIp5 56 Multi AV Scanner detection for dropped file 7->56 58 DLL reload attack detected 7->58 60 Detected unpacking (changes PE section rights) 7->60 62 Machine Learning detection for dropped file 7->62 16 rhtccas 1 7->16         started        64 Contains functionality to inject code into remote processes 10->64 66 Injects a PE file into a foreign processes 10->66 20 ELx2QYnF3X.exe 1 10->20         started        30 999080321newfolder1002-01462599908032135.site 212.80.219.46, 49738, 80 SERVERIUS-ASNL Lithuania 12->30 32 999080321yomtest251-service10020125999080321.ru 12->32 34 88 other IPs or domains 12->34 24 C:\Users\user\AppData\Roaming\rhtccas, PE32 12->24 dropped 26 C:\Users\user\...\rhtccas:Zone.Identifier, ASCII 12->26 dropped 68 System process connects to network (likely due to code injection or exploit) 12->68 70 Benign windows process drops PE files 12->70 72 Performs DNS queries to domains with low reputation 12->72 76 2 other signatures 12->76 file6 74 Tries to resolve many domain names, but no domain seems valid 32->74 signatures7 process8 file9 22 C:\Users\user\AppData\Local\Temp\AE30.tmp, PE32 16->22 dropped 36 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 16->36 38 Renames NTDLL to bypass HIPS 16->38 40 Maps a DLL or memory area into another process 16->40 42 Checks if the current machine is a virtual machine (disk enumeration) 20->42 44 Creates a thread in another existing process (thread injection) 20->44 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b8a8a6c3fe21172b98f35850739be0f78e44a30d0adb844e9f9ce7f05ce1751a/
Threat name:
Win32.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-06-25 03:32:48 UTC
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xcuknq76eelsxghtlbihhg7a66hejiynblnyitu7ttt7axhbouna._file
Verdict:
suspicious
Similar samples:
418c5fa990720936d23f83e5bd72b11d4bbf045b33e60efe09e28aa074eac424
Smoke Loader
4d62b51a9ec8a8f5a1dfc47a82789d8e5d6bb7f02573cee7b0d38f52672b8f79
Smoke Loader
604d21a93ab88cdc9d0b609e73766a13e5959644eb35c7bc4fa8967378846004
Smoke Loader
9c8057521a53904ce86837434f6ca9075fea66d1c31914db6a6b49f68649191f
Smoke Loader
a30aa51bc0554b2dedf5f0a7f29219ad301a97b5e6e4215f42973bb010345d3c
Smoke Loader
a688c4973e78911bc4d1c7dccd1e9a85c07928d9e3b56c66a89c92b3c8110eb8
Smoke Loader
b2dadf77d0f5917ce225ee0b177e4d5deb626a81ce33815f176d915ea21ba159
Smoke Loader
c8777532804b7439c5c45f731d2af0c4ec4a4978125a632334298cad647b681f
Smoke Loader
fe5c6f5e168f59382dd4fa29158156c0d917f2e15035dfe3b38043c6327f0c24
Smoke Loader
febd6a80d04be7900fb4611d98839d6a1fc4deb43cfa0378b4c79de96320275e
Smoke Loader
+ 457 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/210625-mnwq6wctb6/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Executes dropped EXE
SmokeLoader
Malware Config
C2 Extraction:
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
Unpacked files
SH256 hash:
6a14853b1504e0de00f21eb6bd2e87fb68bad887dd08661fd9f1b2937c2124a3
MD5 hash:
40505757183167a6bcec52ab7b110cc0
SHA1 hash:
0cab20ceb13f85f4ba356d446d50501dbb6f5492
Link:
https://www.unpac.me/results/dc25b8a9-5fe5-4195-bcf2-8e56cabf5534/
SH256 hash:
b8a8a6c3fe21172b98f35850739be0f78e44a30d0adb844e9f9ce7f05ce1751a
MD5 hash:
bfaf1ced61ea80dc10b8ac87c18f355b
SHA1 hash:
20895b5e62f36ef101bcbe5c5f81038570a897f3
Link:
https://www.unpac.me/results/dc25b8a9-5fe5-4195-bcf2-8e56cabf5534/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b8a8a6c3fe21172b98f35850739be0f78e44a30d0adb844e9f9ce7f05ce1751a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe b8a8a6c3fe21172b98f35850739be0f78e44a30d0adb844e9f9ce7f05ce1751a

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/168194/

Comments